Definitive guide to: The following packages have been kept back

In virtually every installation of Debian -or derivative- it will happen that at some point during software management one will be prompted this message: The following packages have been kept back Let’s provide an example to make it clear.

Example

First, you ran:

apt-get update

and everything was fine. We can affirm the command reported a 0 exit code.

After this you ran:

sudo apt-get upgrade

if your OS‘ software gets updated often and if it is updated at the time of running the upgrade command the output will be like this:

[email protected]:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages have been kept back:
  cinnamon-screensaver
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

… and there is the weird message: The following packages have been kept back.

Is there something wrong?

No. There is no nothing wrong, instead, the message warns you about a situation in a package that requires the attention from the System Administrator. Also, the package manager is taking care to prevent software changes that might cause System instability, hence it prevented the update of that package.

So what happens?

The software manager detected changed dependencies of a package already installed. Those dependencies might break -and let me emphasize: or not– other installed software if the package marked as kept back is updated.

It is bad then…

No. It is not if you understand that You -as System Administrator- must pay attention to what you do as the ultimate manager of the software.

A package kept back means you must align their dependencies with those of the rest of the Operating System before it can be updated.

That package may remain as it is as long as it doesn’t interferes with future OS updates… or you might like to have it updated.

What’s next?

To update that package is a choice entirely yours.

Now, I want to take the opportunity to clarify what we understand for update and for upgrade in apt argot.

First, you keep updated packages installed in the distribution. That means you have applied patches on those packages that led them to their latest release.

Second, you perform an upgrade to the OS. This is a general view (borrowing this word from the database community) that aligns packages’ updates with the overall installed Operating System, hence, it installs the latest available patches -identified by the update commmand- for the packages while ensures the OS gets marked updated and remains stable. This is the case of a regular upgrade.

In addition to regular upgrades there are full OS upgrades. They behave this way: Perform a regular upgrade but they also modify the distribution version. This kind of upgrade only happens if the repositories listed in /etc/apt/sources.list are pointed to those of a newer release than current.

Technical solution

Our objective will be to release the kept back package from that status.

Prior to execute any software update you must identify what will be updated. Let’s investigate what dependencies changed in our example package, the cinnamon-screensaver package. Let’s see:

[email protected]:~$ sudo apt-get --with-new-pkgs upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
  cinnamon-screensaver-pam-helper
The following packages will be upgraded:
  cinnamon-screensaver
1 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 112 kB of archives.
After this operation, 21,5 kB of additional disk space will be used.
Do you want to continue? [Y/n]

From the output we can see the package cinnamon-screensaver-pam-helper is responsible to have the cinnamon-screensaver kept back. So, in this particular case we can argue that PAM changes implemented in the first are the ultimate reason that caused this situation. I am not going to dig further on those changes because that’s out of the scope of this paper, instead, I am going to pass on the following step of the technical solution.

Now, the previous command is waiting on a response from the System Administrator (SA). Let’s say “Y”, this is, the SA wants to continue. By doing this, the software manager will download the required files and will take the kept back package to the latest version.

Let’s check it out how it went through… First, let’s resynchronize the package index files from their sources, that means to run this well known command: apt-get update. It is expected a 0 return code. Then, re-run the apt-get upgrade command. The output ought be like this:

[email protected]:~$ sudo apt-get upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

And… voilà! This way we get rid off the possibly annoying and intimidating message: The following packages have been kept back.

Conclusion

The following packages have been kept back notice is your friend. It might be intimidating at first hand and even it is annoying, but, there is a reason for this to exist. It is in charge to tell you that as System Administrator you must assist the package manager to solve a situation where human judge is required.